Give user access to Azure File Share without Azure AD DS

Mark Galvin 6 Reputation points
2021-05-14T13:06:16.62+00:00

Hi

Setting up a client with Azure File Share for the centralised storage of PST files.

We have setup the Storage Account and the File Share.

We can use the 'Storage account key' Authentication Method to mount the file share, create folders & files etc. We are not able to see who created or edited those folders & files.

If we change to the 'Active Directory' Authentication Method we see this 'Identity-based access is not configured for this storage account. Learn more'. 'Learn More' takes us to https://learn.microsoft.com/en-gb/azure/storage/files/storage-files-active-directory-overview which states:
"Azure Files supports identity-based authentication over Server Message Block (SMB) through on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS)."

The client has no on-prem AD and is not using Azure AD DS.

Is there any other, supported method of giving users permissions to the File Share and folders inside?

Thanks
Mark

Azure Files

3 answers

Sort by: Most helpful
  1. Mark Galvin 6 Reputation points
    2021-05-14T18:43:45.943+00:00

    Just logged onto the client's Azure portal and realised that I would need to create Storage Accounts for each separately secured File Share, as I can only set the IAM on the Storage Account and not on the File Shares.

    1 person found this answer helpful.

  2. Amjad Nagori 286 Reputation points
    2021-05-14T18:27:42.59+00:00

    There are a couple of methods you can use to provide access to users:

    1. Provide them the Storage Account Access Key, and they can use it to access the File Share with rights on all folders and subfolders.
    2. Use the PowerShell connect script from the Share to connect it. It is also persistent and saves the creds at the user profile level, so he/she will not be asked for credentials again and can access all the folders and files.

    Both of these methods are insecure, as they contain the Storage Account access key.

    Apart from that, you can use Windows Credential Manager. Whenever we use the PowerShell script to access the share, it saves the credential in Control Panel - Credential Manager to persist it, which is user-profile based. So if you want to provide access without sharing the Access Key, export this Credential Manager profile from one user and share it with another one, who can import it without getting the Access Key.
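
The answer above points out that the portal's "Connect" script leaves the storage account key in the user's Windows Credential Manager, which is exactly what makes that approach hard to keep track of. The PowerShell below is an added example, not code from the thread or from Microsoft, for the administrator who wants to find out which user profiles on a workstation still hold such a cached key and clear them before rotating the key. It assumes an English-language Windows where `cmdkey /list` prints `Target:` lines, and that the share lives on the standard `file.core.windows.net` endpoint; the function names are my own.

```powershell
# Added example: audit, and optionally remove, Azure Files storage-key credentials
# that the portal's "Connect" script stores in Windows Credential Manager for the
# current user. Assumes English `cmdkey /list` output ("Target: ..." lines).
function Get-CachedAzureFilesCredential {
    [CmdletBinding()]
    param(
        # Endpoint suffix to look for (assumed: the public Azure Files endpoint).
        [string]$EndpointSuffix = 'file.core.windows.net'
    )
    # cmdkey has no object output, so parse its text listing line by line.
    $lines = cmdkey /list 2>$null
    foreach ($line in $lines) {
        # Example line: "    Target: Domain:target=contoso.file.core.windows.net"
        if ($line -match 'Target:\s+(?:\w+:target=)?(?<target>\S+)') {
            $target = $Matches['target']
            if ($target -like "*$EndpointSuffix*") {
                [pscustomobject]@{
                    User   = $env:USERNAME
                    Target = $target
                }
            }
        }
    }
}

function Remove-CachedAzureFilesCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Target
    )
    process {
        if ($PSCmdlet.ShouldProcess($Target, 'Remove cached storage account key')) {
            # cmdkey /delete takes the bare target name, without the "Domain:target=" prefix.
            cmdkey /delete:$Target | Out-Null
        }
    }
}

# Usage: list first, review, then remove (drop -WhatIf to actually delete).
Get-CachedAzureFilesCredential | Format-Table -AutoSize
Get-CachedAzureFilesCredential | Remove-CachedAzureFilesCredential -WhatIf
```

Run it under each user profile that received the connect script, because Credential Manager is per user. Clearing the cached entry only stops that profile from mounting the share again; a key that has been handed to users should be treated as disclosed and regenerated on the Storage Account afterwards, which invalidates every copy at once.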


  3. Mark Galvin 6 Reputation points
    2021-05-14T18:39:06.117+00:00

    Thanks for coming back to me.

    If the client needed to have the ability to secure folders within the File Share, say:
    Folder 1 - Directors
    Folder 2 - HR
    Folder 3 - All users
    as well as have the ability to report on which user changed the PST last, can this only be achieved by deploying Azure AD DS?

    I suppose that we could have 3 separate File Shares and use IAM Roles from Azure AD (not Azure AD DS) to lock it down that way, which would go some way to achieving the above.

    Thanks
    Mark
